Statement for the Record. Rand Beers Under Secretary National Protection and Programs Directorate Department of Homeland Security

Transcription

1 Statement for the Record Rand Beers Under Secretary National Protection and Programs Directorate Department of Homeland Security Before the Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies United States House of Representatives February 11, 2011 Thank you, Chairman Lungren, Ranking Member Clarke, and distinguished Members of the subcommittee. It is a pleasure to appear before you today to discuss the Department of Homeland Security s (DHS) efforts to secure high-risk chemical facilities. As you are aware, the Department s current authority under Section 550 of the Fiscal Year 2007 Department of Homeland Security Appropriations Act, as amended, was set to expire in October 2010, but has been temporarily extended under the current Continuing Resolution. DHS is eager to work with this Committee, Congress, and all levels of government and the private sector to achieve passage of legislation that permanently authorizes and appropriately matures the Chemical Facility Anti- Terrorism Standards (CFATS) program. In the interest of facilitating that collaboration, my testimony focuses on the current program and the key principles that DHS would like to see guide the program s maturation. Chemical Security Regulations Section 550 of the Fiscal Year (FY) 2007 Department of Homeland Security Appropriations Act directed the Department to develop and implement a regulatory framework to address the high level of security risk posed by certain chemical facilities. Specifically, Section 550(a) of the Act authorized the Department to adopt rules requiring high-risk chemical facilities to complete Security Vulnerability Assessments (SVAs), develop Site Security Plans (SSPs), and implement protective measures necessary to meet risk-based performance standards established by the Department. Consequently, the Department published an Interim Final Rule, known as CFATS, on April 9, Section 550, however, expressly exempts from those rules certain facilities that are regulated under other federal statutes, including those regulated by the United States Coast Guard pursuant to the Maritime Transportation Security Act (MTSA), drinking water and wastewater treatment facilities as defined by Section 1401 of the Safe Water Drinking Act and Section 212 of the Federal Water Pollution Control Act, and facilities owned or operated by the Departments of Defense and Energy, as well as certain facilities subject to regulation by the Nuclear Regulatory Commission (NRC). The following core principles guided the development of the CFATS regulatory structure: 1

2 1) Securing high-risk chemical facilities is a comprehensive undertaking that involves a national effort, including all levels of government and the private sector. Integrated and effective participation by all stakeholders federal, state, local, tribal and territorial government partners as well as the private sector is essential to securing our critical infrastructure, including high-risk chemical facilities. Implementing this program means tackling a sophisticated and complex set of issues related to identifying and mitigating vulnerabilities and setting security goals. This requires a broad spectrum of input, as the regulated facilities bridge multiple industries and critical infrastructure sectors. By working closely with experts, members of industry, academia, and federal government partners, we leveraged vital knowledge and insight to develop the regulation. 2) Risk-based tiering to guide resource allocations. Not all facilities present the same level of risk. The greatest level of scrutiny should be focused on those facilities that present the highest risk those that, if attacked, would endanger the greatest number of lives. 3) Reasonable, clear, and calibrated performance standards will lead to enhanced security. The current CFATS rule includes enforceable risk-based performance standards. Highrisk facilities have the flexibility to develop appropriate site-specific security measures that will effectively address risk. The Department will analyze each final tiered facility s SSP to see if it meets CFATS performance standards. If necessary, DHS will work with the facility to revise and resubmit an acceptable plan. 4) Recognition of the progress many companies have already made in improving facility security leverages those advancements. Many companies have made significant capital investments in security since 9/11. Building on that progress in implementing the CFATS program will raise the overall security baseline at high-risk chemical facilities. On Nov. 20, 2007, the Department published Appendix A to CFATS, which lists 322 chemicals of interest including common industrial chemicals such as chlorine, propane, and anhydrous ammonia as well as specialty chemicals, such as arsine and phosphorus trichloride. The Department included chemicals based on the consequences associated with one or more of the following three security issues: 1) Release Toxic, flammable, or explosive chemicals that have the potential to create significant adverse consequences for human life or health if intentionally released or detonated; 2) Theft/Diversion Chemicals that have the potential, if stolen or diverted, to be used or converted into weapons that could cause significant adverse consequences for human life or health; and 3) Sabotage/Contamination Chemicals that, if mixed with other readily available materials, have the potential to create significant adverse consequences for human life or health. The Department also established a Screening Threshold Quantity for each chemical of interest based on its potential to create significant adverse consequences to human life or health in one or more of these ways. 2

3 Implementation and execution of the CFATS regulation requires the Department to identify which facilities it considers high-risk. The Department developed the Chemical Security Assessment Tool (CSAT) to identify potentially high-risk facilities and to provide methodologies that facilities can use to conduct SVAs and to develop SSPs. CSAT is a suite of online applications designed to facilitate compliance with the program; it includes user registration, the initial consequence-based screening tool (Top-Screen), an SVA tool, and an SSP template. Through the Top-Screen process, the Department initially identifies and sorts facilities based on their associated risks. If a facility is initially identified during the Top-Screen process as potentially having a level of risk subject to regulation under CFATS, the Department assigns the facility to one of four preliminary risk-based tiers, with Tier 1 representing the highest level of potential risk. Those facilities must then complete SVAs and submit them to the Department, although facilities preliminarily designated as Tier 4 facilities also have the option of submitting an Alternative Security Program (ASP). Results from the SVA inform the Department s final determinations as to whether a facility is in fact high-risk and, if so, of the facility s final tier assignment. Each SVA is carefully reviewed for its description of how chemicals of interest are actually held at the site, how those chemicals are managed, and for physical, cyber, and chemical security risks. After completing its review of a facility s SVA, the Department makes a final determination as to whether the facility is considered high-risk and assigns the facility a final risk-based tier. Final high-risk facilities are then required to develop an SSP or, if they so choose, an ASP that addresses its identified vulnerabilities and security issues. Only facilities that receive a final high-risk determination letter under CFATS will be required to complete and submit an SSP or, if the facility so chooses, an ASP. DHS final determinations of which facilities are high-risk are based on each facility s individual consequentiality and vulnerability as determined by its Top- Screen, SVA, and any other available information. The higher the facility s risk-based tier, the more robust the security measures and the more frequent and rigorous the inspections will be. The purpose of inspections is to validate the adequacy of a facility s SSP and to verify that measures identified in the plan are being implemented. Implementation Status To date, the Department has reviewed more than 39,000 Top-Screen consequence assessment questionnaires submitted by potentially high-risk chemical facilities. Since June 2008, we have notified more than 7,000 preliminarily tiered facilities that they have been initially designated as high-risk and are thus required to submit SVAs; we have nearly completed our review of the almost 6,200 SVAs that have been submitted. In May 2009, we began notifying facilities of their final high-risk determinations, risk-based tiering assignments, and the requirement to complete and submit an SSP or ASP. In May 2009, the Department issued 141 final tier determination letters to the highest risk (Tier 1) facilities, confirming their high-risk status and initiating the 120-day time frame for submitting an SSP. After issuing this initial set of final tier determinations, the Department periodically issued notifications to additional facilities of their final high-risk status. To date, more than 4,000 additional facilities have received final high-risk determinations and tier 3

4 assignments, and several hundred that were preliminarily tiered by DHS were informed that they are no longer considered high-risk. CFATS currently covers 4,755 high-risk facilities nationwide across all 50 states, of which 4,094 facilities have received final high-risk determinations and due dates for submission of an SSP or ASP. More than 4,000 facilities have submitted SSPs (or ASPs) to date, and the Department is in the process of reviewing these submissions. The Department continues to issue final tier notifications to facilities across all four risk tiers as additional final tier determinations are made by the Department. In February 2010, the Department began conducting inspections of final-tiered facilities, starting with the Tier 1-designated facilities, and has completed more than 175 pre-authorization inspections to date. The Department intends to use these initial inspections to help gain a comprehensive understanding of the processes, risks, vulnerabilities, response capabilities, security measures and practices, and any other factors that may be in place at a regulated facility that affect security risk in order to help facilities submit SSPs that can be approved under CFATS. After DHS issues a letter of authorization for a facility s SSP, DHS will conduct a comprehensive and detailed compliance inspection before making a final determination as to whether the facility has appropriately enacted their SSP. Facilities that have successfully implemented their approved SSPs and have passed an inspection will be considered in compliance with the required performance standards. A critical element of the Department s efforts to secure the nation s high-risk chemical facilities, the SSP enables final high-risk facilities to document their individual security strategies for meeting the Risk-Based Performance Standards (RBPS) established under CFATS. Each highrisk facility s security strategy will be unique, as it depends on the facility s risk level, security issues, characteristics, and other factors. Therefore, the SSP tool collects information on each of the 18 RBPS for each facility. The RBPS cover the fundamentals of security, such as restricting the area perimeter, securing site assets, screening and controlling access, cybersecurity, training and response. The SSP tool is designed to take into account the complicated nature of chemical facility security and allows facilities to describe both facility-wide and asset-specific security measures. The Department understands that the private sector generally, and CFATS-affected industries in particular, are dynamic. The SSP tool allows facilities to involve their subjectmatter experts from across the facility, company and corporation, as appropriate, in completing the SSP and submitting a combination of existing and planned security measures to satisfy the RBPS. The Department expects that most approved SSPs will consist of a combination of existing and planned security measures. Through a review of the SSP, in conjunction with an on-site inspection, DHS will determine whether a facility has met the requisite level of performance given its risk profile and thus whether its SSP should be approved. Along with the initial group of final Tier 1 notifications and the activation of the SSP tool in May 2009, DHS issued the Risk-Based Performance Standards Guidance document. The Department developed this guidance to assist high-risk chemical facilities subject to CFATS in determining appropriate protective measures and practices to satisfy the RBPS. It is designed to help facilities comply with CFATS by providing detailed descriptions of the 18 RBPS as well as examples of various security measures and practices that could enable facilities to achieve the 4

5 appropriate level of performance for the RBPS at each tier level. The Guidance also reflects public and private sector dialogue on the RBPS and industrial security, including public comments on the draft guidance document. High-risk facilities are free to make use of whichever security programs or processes they choose whether or not in the Guidance provided that they achieve the requisite level of performance under the CFATS RBPS. The Guidance will, however, help high-risk facilities gain a sense of what types and combination of security measures may satisfy the RBPS. The Department has also offered regular SSP training webinars to assist high-risk facilities with completing their SSPs. For additional context, I would like to provide you with an example of how some facilities may be approaching the development and submission of their SSPs: in the case of a Tier 1 facility with a release hazard security issue, the facility is required to restrict the area perimeter appropriately, which may include preventing breach by a wheeled vehicle. To meet this standard, the facility is able to consider numerous security measures, such as cable anchored in concrete block along with movable bollards at all active gates or perimeter landscaping (e.g., large boulders, steep berms, streams, or other obstacles) that would thwart vehicle entry. The Department will approve the security measure as long as it is determined by the Department to be sufficient to address the applicable performance standard. Under Section 550, the Department cannot mandate a specific security measure to approve the SSP. In June 2010, the Department issued its first Administrative Orders under CFATS to 18 chemical facilities for failure to submit an SSP. Throughout the remainder of the year, the Department issued an additional 47 Administrative Orders to chemical facilities that had failed to submit an SSP in a timely manner. Administrative Orders are the first step toward enforcement under CFATS. An Administrative Order does not impose a penalty or fine, but directs the facility to take specific action to comply with CFATS in this case, to complete the SSP within 10 days of receipt. If the facility does not comply with the Administrative Order, however, the Department may issue an Order Assessing Civil Penalty of up to $25,000 each day the violation continues, or an Order to Cease Operations. All 65 facilities that received an Administrative Order ultimately completed their SSPs following receipt of the Administrative Order, or providing amplifying information to the Department, that satisfactorily explained why they had failed to meet the deadline for submitting their SSPs, and thus, no further enforcement action was necessary. As CFATS implementation progresses, the Department expects to continue to exercise its enforcement authority to ensure CFATS compliance. Outreach Efforts Since the release of CFATS in April 2007, the Department has taken significant steps to publicize the rule and ensure that the regulated community and our security partners are aware of its requirements. As part of this outreach program, the Department has regularly updated impacted sectors through their Sector Coordinating Councils and the Government Coordinating Councils of industries most impacted by CFATS, including the Chemical, Oil and Natural Gas, and Food and Agriculture Sectors. We have also solicited feedback from our public and private sector partners and, where appropriate, have reflected that feedback in our implementation activities. As the program continues to mature, the Department participates in an average of 250 CFATS-specific outreach engagements annually, not including formal coordination activities 5

6 with individual facilities such as pre-authorization inspections and Compliance Assistance Visits. We have presented at numerous security and chemical industry conferences; participated in a variety of other meetings of relevant security partners; established a Help Desk for CFATS questions that receives between 40 and 80 calls daily; put in place a CFATS tip-line for anonymous chemical security reporting; and developed and regularly updated a highly regarded Chemical Security website ( This month, the Department updated the CFATS website to include a more robust, searchable Knowledge Center, which further supports the regulated community. These efforts are having a positive impact: again, more than 39,000 Top-Screens have been submitted to the Department via CSAT. In addition, the Department continues to focus on fostering solid working relationships with state and local officials as well as first responders in jurisdictions with high-risk facilities. To meet the risk-based performance standards under CFATS, facilities need to cultivate and maintain effective working relationships including a clear understanding of roles and responsibilities with local officials who aid in preventing, mitigating and responding to potential attacks. To facilitate these relationships, our inspectors have been actively working with facilities and officials in their areas of operation, and they have participated in more than 100 Local Emergency Planning Committee meetings to provide a better understanding of CFATS requirements. Last year, the Department, in collaboration with the State, Local, Tribal, and Territorial Government Coordinating Council, issued a tri-fold brochure which summarizes CFATS programs and processes for local emergency responders. In May 2010, the Department launched a web-based information-sharing portal called CFATS- Share. This tool provides interested state Homeland Security Advisors, DHS Protective Security Advisors, and fusion centers access to detailed CFATS facility information as needed. In the future, DHS plans to make this tool available to other federal security partners, such as the Federal Bureau of Investigation. The Department continues to improve the CFATS-Share web portal based on feedback from users. Additionally, the Department continues to actively collaborate across components within DHS and with other federal agencies in the area of chemical security, including routine coordination between the Department s National Protection and Programs Directorate (NPPD) and the United States Coast Guard (USCG), the Transportation Security Administration, the Department of Justice s Federal Bureau of Investigation and Bureau of Alcohol, Tobacco, Firearms and Explosives, the NRC, and the Environmental Protection Agency (EPA). One primary example of this coordination includes the establishment of a joint NPPD/USCG CFATS-MTSA Working Group to evaluate and, where appropriate, implement methods to harmonize the CFATS and MTSA regulations. Similarly, the Department has been working closely with the EPA to begin evaluating how the CFATS approach could be used for water and wastewater treatment facilities, should the water and wastewater treatment facility exemption be removed by Congress in future versions of chemical facility security or water facility security regulations. The Department also launched an Agricultural Facility Survey in July The goal of the survey is to provide the Department with additional information on the potential risks related to agricultural Chemicals of Interest throughout the distribution chain including manufacturers, distributors, retailers, commercial applicators, and end-users. The survey results will also help 6

7 the Department determine the most appropriate approach for addressing the existing extension of the CFATS Top Screen due date for agricultural production facilities. The Department received completed surveys from nearly 1,200 CFATS facilities and is currently analyzing the results to determine the best approach to take regarding agricultural production facilities. Internally, we are continuing to build the Infrastructure Security Compliance Division that is responsible for implementing CFATS. We have hired, or are in the process of on-boarding, more than 178 people, and we are continuing to hire throughout this fiscal year to meet our staffing goal of 268 positions. These numbers include our field inspector cadre, where we have hired 95 of 103 field inspector positions and 14 of 14 field leadership positions. Legislation to Permanently Authorize CFATS We have enjoyed the constructive dialogue with Congress, including Members of this Committee, as it contemplates new authorizing legislation. The Department recognizes the significant work that this Committee and others, including the Senate Committee on Homeland Security and Governmental Affairs, the Senate Committee on Environment and Public Works and the House Committee on Energy and Commerce, have completed in reauthorizing the CFATS program to date and to address chemical facility security. We appreciate this effort and look forward to continuing the constructive engagement with Congress on these important matters. The Department supports a permanent authorization for the CFATS program. The Department is committed to working with Congress and other security partners to pass stand-alone chemical security legislation that includes permanent authority beginning in FY The latest Continuing Resolution authorizes an extension of the statutory authority for CFATS, which otherwise would have sunset on Oct. 4, It is important to highlight that the Administration has developed a set of guiding principles for the reauthorization of CFATS. These principles are the foundation for the Department s position on permanent CFATS reauthorization: The Administration supports permanent authorization to regulate security of high-risk chemical facilities through risk-based performance standards. The Department should be given reasonable deadlines by Congress to promulgate new rules to implement any new legislative requirements. CFATS, as currently being implemented, should remain in effect until or unless it is supplemented by new regulations. The Administration supports, where possible, using safer technology, to enhance the security of the nation s high-risk chemical facilities. Similarly, we recognize that risk management requires balancing threat, vulnerabilities, and consequences with the costs and benefits of mitigating risk. In this context, the Administration has established the following policy principles in regard to inherently safer technologies (IST) at high-risk chemical facilities: 7

8 o The Administration supports consistency of IST approaches for facilities regardless of sector. o The Administration believes that all high-risk chemical facilities, Tiers 1-4, should assess IST methods and report the assessment in the facilities SSPs. o Further, the appropriate regulatory entity should have the authority to require facilities posing the highest degree of risk (Tiers 1 and 2) to implement IST method(s) if such methods demonstrably enhance overall security, are determined to be feasible, and, in the case of water sector facilities, consider public health and environmental requirements. o For Tier 3 and 4 facilities, the appropriate regulatory entity should review the IST assessment contained in the SSP. The entity should be authorized to provide recommendations on implementing IST, but it would not have the authority to require facilities to implement the IST methods. o The Administration believes that flexibility and staggered implementation would be required in implementing this new IST policy. The Administration supports maintaining the Department s current Chemical-terrorism Vulnerability Information regime for protecting sensitive information relating to chemical facility security. This regime is similar to, but distinct from, other Controlled Unclassified Information protection regimes. The Department supports amending the current exemption for drinking water and wastewater facilities to specify that the Environmental Protection Agency (EPA) would have the lead on regulating for security, with DHS supporting EPA to ensure consistency across all sectors. This consistency could be achieved, for example, by the use of CFATS compliance tools and risk analysis with modifications as necessary to reflect the uniqueness of the water sector and statutory requirements. As DHS and EPA have stated before, we believe that there is a critical gap in the U.S. chemical facility security regulatory framework namely, the exemption of drinking water and wastewater treatment facilities from CFATS. We need to work with Congress to close this gap to secure chemicals of interest at these facilities and to protect the communities that they serve; drinking water and wastewater treatment facilities that meet CFATS thresholds for chemicals of interest should be regulated. We do, however, recognize the unique public health and environmental requirements and responsibilities of such facilities. For example, we understand that a cease-operations order that might be appropriate for another facility under CFATS would have significant public health and environmental consequences when applied to a water facility. As you are aware, facilities regulated under MTSA authority are statutorily exempted from CFATS and thus are not required to submit Top-Screens to DHS. In order to help DHS develop a more comprehensive picture of security issues at the nation s chemical facilities, and to help DHS evaluate whether any regulatory gaps exist that may pose an unacceptable security risk, the Department has begun the process, with close cooperation between NPPD and USCG, for determining whether and how to require MTSA-covered facilities that possess CFATS chemicals of interest to complete and submit CFATS Top- Screens. 8

9 With respect to the other current statutory exemptions, the Department supports: o Maintaining the exemptions for both Defense and Energy Department facilities. Although the Department of Energy is exempt from the current statute, DOE policy does require chemical sabotage assessments utilizing the select agents lists and the adoption of protection measure where necessary; and o Amending the exemption for facilities regulated under the NRC to clarify the scope of the NRC exemption and to specify that DHS and the NRC shall work together to make a final determination on whether a facility or an area within a facility is subject to NRC regulation and is thus exempt from DHS regulation. Given the complexity of chemical facility regulation, implementation logistics, and resource implications, any requirements considered in prospective legislation should also be taken into account to avoid having the Department extensively revisit aspects of the program that are either currently in place or which will be implemented in the near future. Conclusion The Department is collaborating extensively with the public, including members of the chemical sector and other interested groups, to work toward our collective goals under the CFATS regulatory framework. In many cases, industry has voluntarily made tremendous progress to ensure the security and resiliency of its facilities and systems. As we implement CFATS, we will continue to work with industry, our federal partners, states, and localities to get the job done. The Administration recognizes that CFATS reauthorization requires further technical work. The Department is ready to engage in technical discussions with Committee staff, affected stakeholders, and others to work out the remaining details. We must focus our efforts on implementing a risk- and performance-based approach to regulation and, in parallel fashion, continue to pursue the voluntary programs that have already resulted in considerable success. We look forward to collaborating with the Committee, industry, and government partners to ensure that the chemical facility security regulatory effort achieves success in reducing risk in the chemical sector. Thank you for holding this important hearing. I would be happy to respond to any questions you may have. 9